permissions. It's time for that to change.

In the basic Linux permission scheme, permissions are assigned to the owner of a file, the group owner of a file, and everyone else. Every file -- and directory -- on the Linux system has one user owner and one group owner. A Linux administrator can call up the list of current owners and the permissions assigned to them with the ls -l command (see listing 1).

Listing 1: Displaying current permission assignments in a Linux system

Sanders-computer:~ sandervanvugt$ ls -l
total 24
drwx------+ 13 sandervanvugt staff 442 Oct 20 20:17 Desktop
drwx------+ 103 sandervanvugt staff 3502 Oct 21 08:37 Documents
drwx------+ 289 sandervanvugt staff 9826 Oct 21 10:05 Downloads
drwx------@ 51 sandervanvugt staff 1734 Sep 22 16:31 Library
drwx------+ 29 sandervanvugt staff 986 Oct 9 07:59 Movies
drwx------+ 5 sandervanvugt staff 170 May 21 23:19 Music
drwx------+ 24 sandervanvugt staff 816 Sep 19 22:21 Pictures
drwxr-xr-x+ 4 sandervanvugt staff 136 Apr 12 2013 Public
drwxr-xr-x 3 sandervanvugt staff 102 Sep 22 16:31 Samsung
-rwxr-xr-x 1 sandervanvugt staff 324 Sep 23 11:51 bart1
-rw-r--r-- 1 sandervanvugt staff 148 Aug 14 13:12 rekenprogrammaLOG
-rwxr-xr-x 1 sandervanvugt staff 607 Jul 3 16:59 script3

The default Linux permission scheme works fine if there is just one owner or one group needed on a file.

However, if one group of users needs full control of a file, another group only needs to read it, and everyone else should have no access at all, then the default permissions can't help you -- but Linux ACLs can.

A Linux ACL assigns trustees to a file, allowing multiple users and multiple groups to have permissions. You can also set default access control lists, which apply default permissions to any new items created in a directory.

The setfacl command sets permissions using an ACL. The Linux system will display current ACL assignments via the getfacl command (see listing 2).

Applying permissions is straightforward. If, for example, a Linux administrator wants to give members of the organization's sales group access to all files in the directory /groups/account, they would use:

setfacl -R -m g:sales:rx /groups/account

In this command, the option -R is used to apply the ACL recursively to all existing items in the directory /groups/account. The -m option is used to modify the ACL, followed by g for group, then the name of the group and the permissions being assigned.

Listing 2. How to show a Linux ACL's permissions with getfacl

[root@tls groups]# getfacl account/
# file: account/
# owner: root
# group: account
user::rwx
group::rwx
group:sales:r-x
mask::rwx
other::---

Don't worry if a mask entry appears in the getfacl output; setfacl recalculates it automatically when the ACL is modified.

The default Linux ACL

The setfacl command above sets permissions on existing files, but it does nothing for files created later. Typically, if an administrator applies an ACL to a directory, they also want that ACL to apply to all new files created in that directory. This is the job of default ACLs.

Adding a default ACL is as simple as repeating the previous setfacl command with d: prefixed to the ACL entry. To assign the permissions to all new files in that directory, run the following command as well:

setfacl -m d:g:sales:rx /groups/account

You can also use getfacl to check current default ACL settings for a directory, as shown in listing 3.

Listing 3. Checking default Linux ACL assignments

[root@tls groups]# getfacl account/
# file: account/
# owner: root
# group: account
user::rwx
group::rwx
group:sales:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:sales:r-x
default:mask::rwx
default:other::---

Once a default ACL is set, the new permissions will be applied to all items that are created in that directory.
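As an added example (not part of the original article), the shell function below audits getfacl output in the format of listings 2 and 3: for each named user or group entry it prints the granted permissions, the effective permissions once the mask entry is applied (the mask caps what named users, named groups and the owning group can actually use), and whether a matching default entry exists. The function name acl_audit and the second sample are constructed for illustration.

```shell
# Added example: audit `getfacl` output read from stdin.
# Output per named entry:  entry  granted  effective  default-status
# "effective" is the granted permission limited by the mask entry.
acl_audit() {
    awk -F: '
    # Keep a permission character only if the mask has it too.
    function limit(p, m,    i, out) {
        out = ""
        for (i = 1; i <= 3; i++)
            out = out (substr(m, i, 1) == "-" ? "-" : substr(p, i, 1))
        return out
    }
    /^#/ || NF < 3 { next }                  # header comments, blank lines
    $1 == "default" {                        # default:tag:name:perms
        if ($3 != "") dflt[$2 ":" $3] = substr($4, 1, 3)
        next
    }
    $1 == "mask" { mask = substr($3, 1, 3); next }
    ($1 == "user" || $1 == "group") && $2 != "" {
        key = $1 ":" $2
        order[++n] = key
        perm[key] = substr($3, 1, 3)
    }
    END {
        if (mask == "") mask = "rwx"         # no mask entry: nothing limited
        for (j = 1; j <= n; j++) {
            k = order[j]
            if (!(k in dflt)) s = "no-default"
            else s = (dflt[k] == perm[k]) ? "default-ok" : "default-differs"
            print k, perm[k], limit(perm[k], mask), s
        }
    }'
}

# Access ACL entries as shown in listing 2 (no default entries yet).
sample_listing2() {
    printf '%s\n' 'user::rwx' 'group::rwx' 'group:sales:r-x' \
        'mask::rwx' 'other::---'
}

# Constructed sample: default ACL present, mask narrowed to r--.
sample_masked() {
    printf '%s\n' 'user::rwx' 'group::rwx' 'group:sales:r-x' \
        'mask::r--' 'other::---' 'default:user::rwx' \
        'default:group::rwx' 'default:group:sales:r-x' \
        'default:mask::rwx' 'default:other::---'
}
sample_masked | acl_audit
```

On a real system, pipe live output into it, for example getfacl /groups/account | acl_audit. A "no-default" result means new files in that directory will not inherit the entry, and an effective column that differs from the granted column means the mask is withholding rights the entry appears to give.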
